US12592920B2ActiveUtilityA1

Granular authorization flow in a distributed, multi-domain computing system

53
Assignee: DISNEY ENTPR INCPriority: Jan 25, 2024Filed: Jan 25, 2024Granted: Mar 31, 2026
Est. expiryJan 25, 2044(~17.5 yrs left)· nominal 20-yr term from priority
H04L 63/20H04L 63/083
53
PatentIndex Score
0
Cited by
23
References
20
Claims

Abstract

The present invention sets forth a technique for automatically managing access control authorization in a distributed computing system. This technique includes receiving an access request from a requesting entity and recording the access request in an audit log. The technique also includes retrieving access control policies associated with the access request and retrieving attribute data values from an entity data store. The technique further includes generating an access request evaluation based on the access request, the access control policies, and the attribute data values. The technique further includes transmitting the access request evaluation to the requesting entity.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer-implemented method for performing authorization flow, the computer-implemented method comprising:
 receiving an access request from a requesting entity in a distributed computing system, wherein the access request specifies an automated workflow and includes first attribute values associated with one or more executable commands included in the automated workflow;   retrieving one or more access control policies associated with the access request;   retrieving, from an entity data store, second attribute values for one or more attributes included in the one or more access control policies;   generating, based on the first and second attribute values and the one or more access control policies, an access request evaluation; and   transmitting the access request evaluation to the requesting entity.   
     
     
         2 . The computer-implemented method of  claim 1 , wherein the automated workflow is a first automated workflow, and the requesting entity is one of a human user, a computing system component, or a second automated workflow. 
     
     
         3 . The computer-implemented method of  claim 1 , wherein the access request includes contextual attribute data associated with the requesting entity, a resource, or an action. 
     
     
         4 . The computer-implemented method of  claim 1 , wherein the access request evaluation is an access request approval, the computer-implemented method further comprising:
 generating an authorization token associated with the access request approval; and   transmitting the authorization token to the requesting entity.   
     
     
         5 . The computer-implemented method of  claim 1 , further comprising storing the access request in an audit log. 
     
     
         6 . The computer-implemented method of  claim 1 , wherein the computer-implemented method further comprises:
 determining a plurality of users included in the entity data store;   generating, for each user in the plurality of users, an associated access request evaluation based on the access request and the user;   generating a subset of the plurality of users for which the access request evaluation associated with the user is an access request approval; and   displaying, via a graphical user interface, the subset of the plurality of users.   
     
     
         7 . The computer-implemented method of  claim 1 , wherein the computer-implemented method further comprises receiving, via an application programming interface, an identity token associated with the requesting entity. 
     
     
         8 . One or more non-transitory computer-readable media storing instructions that, when executed by one or more processors, cause the one or more processors to perform the steps of:
 receiving an access request from a requesting entity in a distributed computing system, wherein the access request specifies an automated workflow and includes first attribute values associated with one or more executable commands included in the automated workflow;   retrieving one or more access control policies associated with the access request;   retrieving, from an entity data store, second attribute values for one or more attributes included in the one or more access control policies;   generating, based on the first and second attribute values and the one or more access control policies, an access request evaluation; and   transmitting the access request evaluation to the requesting entity.   
     
     
         9 . The one or more non-transitory computer-readable media of  claim 8 , wherein the automated workflow is a first automated workflow, and the requesting entity is one of a human user, a computing system component, or a second automated workflow. 
     
     
         10 . The one or more non-transitory computer-readable media of  claim 8 , wherein the access request includes contextual attribute data associated with the requesting entity, a resource, or an action. 
     
     
         11 . The one or more non-transitory computer-readable media of  claim 8 , wherein the access request evaluation is an access request approval, the computer-implemented method further comprising:
 generating an authorization token associated with the access request approval; and   transmitting the authorization token to the requesting entity.   
     
     
         12 . The one or more non-transitory computer-readable media of  claim 8 , wherein the instructions further cause the one or more processors to perform the step of storing the access request in an audit log. 
     
     
         13 . The one or more non-transitory computer-readable media of  claim 8 , wherein the instructions further cause the one or more processors to perform the steps of:
 determining a plurality of users included in the entity data store;   generating, for each user in the plurality of users, an associated access request evaluation based on the access request and the user;   generating a subset of the plurality of users for which the access request evaluation associated with the user is an access request approval; and   displaying, via a graphical user interface, the subset of the plurality of users.   
     
     
         14 . The one or more non-transitory computer-readable media of  claim 8 , wherein the instructions further cause the one or more processors to perform the step of receiving, via an application programming interface, an identity token associated with the requesting entity. 
     
     
         15 . A system comprising:
 one or more memories storing instructions; and   one or more processors for executing the instructions to:   receive an access request from a requesting entity in a distributed computing system, wherein the access request specifies an automated workflow and includes first attribute values associated with one or more executable commands included in the automated workflow;   retrieve one or more access control policies associated with the access request;   retrieve, from an entity data store, second attribute values for one or more attributes included in the one or more access control policies;   generate, based on the first and second attribute values and the one or more access control policies, an access request evaluation; and
 transmitting the access request evaluation to the requesting entity. 
   
     
     
         16 . The system of  claim 15 , wherein the automated workflow is a first automated workflow, and the requesting entity is one of a human user, a computing system component, or a second automated workflow. 
     
     
         17 . The system of  claim 15 , wherein the access request includes contextual attribute data associated with the requesting entity, a resource, or an action. 
     
     
         18 . The system of  claim 15 , wherein the access request evaluation is an access request approval and the one or more processors are further configured to:
 generate an authorization token associated with the access request approval; and   transmit the authorization token to the requesting entity.   
     
     
         19 . The system of  claim 15 , wherein the one or more processors are further configured to store the access request in an audit log. 
     
     
         20 . The system of  claim 15 , wherein the one or more processors are further configured to:
 determine a plurality of users included in the entity data store;   generate, for each user in the plurality of users, an associated access request evaluation based on the access request and the user;   generate a subset of the plurality of users for which the access request evaluation associated with the user is an access request approval; and   display, via a graphical user interface, the subset of the plurality of users.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.